blob: 19075fbd73b5c77b2d99877ac56ce721985afadd [file] [log] [blame]
Ed Tanous52cc1122020-07-18 13:51:21 -07001#pragma once
2
Ed Tanous2205bbf2021-06-17 13:33:47 -07003#include <bmcweb_config.h>
4
Ed Tanous04e438c2020-10-03 08:06:26 -07005#include <http_response.hpp>
Ed Tanous52cc1122020-07-18 13:51:21 -07006
Ed Tanous0260d9d2021-02-07 19:31:07 +00007inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
8 crow::Response& res)
Ed Tanous52cc1122020-07-18 13:51:21 -07009{
10 /*
11 TODO(ed) these should really check content types. for example,
12 X-UA-Compatible header doesn't make sense when retrieving a JSON or
13 javascript file. It doesn't hurt anything, it's just ugly.
14 */
15 using bf = boost::beast::http::field;
16 res.addHeader(bf::strict_transport_security, "max-age=31536000; "
17 "includeSubdomains; "
18 "preload");
19 res.addHeader(bf::x_frame_options, "DENY");
20
21 res.addHeader(bf::pragma, "no-cache");
22 res.addHeader(bf::cache_control, "no-Store,no-Cache");
23
24 res.addHeader("X-XSS-Protection", "1; "
25 "mode=block");
26 res.addHeader("X-Content-Type-Options", "nosniff");
27
Ed Tanouse662eae2022-01-25 10:39:19 -080028 if (bmcwebInsecureDisableXssPrevention == 0)
Ed Tanous0260d9d2021-02-07 19:31:07 +000029 {
30 res.addHeader("Content-Security-Policy", "default-src 'none'; "
31 "img-src 'self' data:; "
32 "font-src 'self'; "
33 "style-src 'self'; "
34 "script-src 'self'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -070035 "connect-src 'self' wss:; "
36 "form-action 'none'; "
37 "frame-ancestors 'none'; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +080038 "object-src 'none'; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -070039 "base-uri 'none' ");
Ed Tanous0260d9d2021-02-07 19:31:07 +000040 // The KVM currently needs to load images from base64 encoded
41 // strings. img-src 'self' data: is used to allow that.
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -070042 // https://stackoverflow.com/questions/18447970/content-security-polic
43 // y-data-not-working-for-base64-images-in-chrome-28
Ed Tanous0260d9d2021-02-07 19:31:07 +000044 }
45 else
46 {
47 // If XSS is disabled, we need to allow loading from addresses other
48 // than self, as the BMC will be hosted elsewhere.
49 res.addHeader("Content-Security-Policy", "default-src 'none'; "
50 "img-src *; "
51 "font-src *; "
52 "style-src *; "
53 "script-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -070054 "connect-src *; "
55 "form-action *; "
56 "frame-ancestors *; "
Jiaqing Zhao91ac2e52022-03-17 00:18:58 +080057 "object-src *; "
Basheer Ahmed Muddebihal09e7afd2021-03-17 00:55:57 -070058 "base-uri *");
Ed Tanous52cc1122020-07-18 13:51:21 -070059
Ed Tanous0260d9d2021-02-07 19:31:07 +000060 const std::string_view origin = req.getHeaderValue("Origin");
61 res.addHeader(bf::access_control_allow_origin, origin);
62 res.addHeader(bf::access_control_allow_methods, "GET, "
63 "POST, "
64 "PUT, "
65 "PATCH, "
66 "DELETE");
67 res.addHeader(bf::access_control_allow_credentials, "true");
68 res.addHeader(bf::access_control_allow_headers, "Origin, "
69 "Content-Type, "
70 "Accept, "
71 "Cookie, "
72 "X-XSRF-TOKEN");
73 }
Ed Tanous52cc1122020-07-18 13:51:21 -070074}